diff --git a/pkg/issuer/vault/issue.go b/pkg/issuer/vault/issue.go index a00e8c0e1..d2c84bc5a 100644 --- a/pkg/issuer/vault/issue.go +++ b/pkg/issuer/vault/issue.go @@ -100,7 +100,7 @@ func (v *Vault) initVaultClient() (*vault.Client, error) { if tokenRef.Name != "" { token, err := v.vaultTokenRef(tokenRef.Name, tokenRef.Key) if err != nil { - return nil, fmt.Errorf("error reading Vault token from secret %s/%s: %s", v.issuerResourcesNamespace, tokenRef.Name, err.Error()) + return nil, fmt.Errorf("error reading Vault token from secret %s/%s: %s", v.resourceNamespace, tokenRef.Name, err.Error()) } client.SetToken(token) @@ -124,7 +124,7 @@ func (v *Vault) initVaultClient() (*vault.Client, error) { func (v *Vault) requestTokenWithAppRoleRef(client *vault.Client, appRole *v1alpha1.VaultAppRole) (string, error) { roleId, secretId, err := v.appRoleRef(appRole) if err != nil { - return "", fmt.Errorf("error reading Vault AppRole from secret: %s/%s: %s", appRole.SecretRef.Name, v.issuerResourcesNamespace, err.Error()) + return "", fmt.Errorf("error reading Vault AppRole from secret: %s/%s: %s", appRole.SecretRef.Name, v.resourceNamespace, err.Error()) } parameters := map[string]string{ @@ -221,7 +221,7 @@ func (v *Vault) requestVaultCert(commonName string, altNames []string, csr []byt func (v *Vault) appRoleRef(appRole *v1alpha1.VaultAppRole) (roleId, secretId string, err error) { roleId = strings.TrimSpace(appRole.RoleId) - secret, err := v.secretsLister.Secrets(v.issuerResourcesNamespace).Get(appRole.SecretRef.Name) + secret, err := v.secretsLister.Secrets(v.resourceNamespace).Get(appRole.SecretRef.Name) if err != nil { return "", "", err } 
@@ -233,7 +233,7 @@ func (v *Vault) appRoleRef(appRole *v1alpha1.VaultAppRole) (roleId, secretId str keyBytes, ok := secret.Data[key] if !ok { - return "", "", fmt.Errorf("no data for %q in secret '%s/%s'", key, appRole.SecretRef.Name, v.issuerResourcesNamespace) + return "", "", fmt.Errorf("no data for %q in secret '%s/%s'", key, appRole.SecretRef.Name, v.resourceNamespace) } secretId = string(keyBytes) @@ -243,7 +243,7 @@ func (v *Vault) appRoleRef(appRole *v1alpha1.VaultAppRole) (roleId, secretId str } func (v *Vault) vaultTokenRef(name, key string) (string, error) { - secret, err := v.secretsLister.Secrets(v.issuerResourcesNamespace).Get(name) + secret, err := v.secretsLister.Secrets(v.resourceNamespace).Get(name) if err != nil { return "", err } @@ -254,7 +254,7 @@ func (v *Vault) vaultTokenRef(name, key string) (string, error) { keyBytes, ok := secret.Data[key] if !ok { - return "", fmt.Errorf("no data for %q in secret '%s/%s'", key, name, v.issuerResourcesNamespace) + return "", fmt.Errorf("no data for %q in secret '%s/%s'", key, name, v.resourceNamespace) } token := string(keyBytes) diff --git a/pkg/issuer/vault/vault.go b/pkg/issuer/vault/vault.go index fd11aadb9..f214cb89f 100644 --- a/pkg/issuer/vault/vault.go +++ b/pkg/issuer/vault/vault.go 
@@ -1,64 +1,37 @@ package vault import ( - "k8s.io/client-go/kubernetes" corelisters "k8s.io/client-go/listers/core/v1" - "k8s.io/client-go/tools/record" "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1" - clientset "github.com/jetstack/cert-manager/pkg/client/clientset/versioned" + "github.com/jetstack/cert-manager/pkg/controller" "github.com/jetstack/cert-manager/pkg/issuer" ) type Vault struct { + *controller.Context issuer v1alpha1.GenericIssuer - client kubernetes.Interface - cmclient clientset.Interface - recorder record.EventRecorder - secretsLister corelisters.SecretLister - // issuerResourcesNamespace is a namespace to store resources in. This is - // here so we can easily support ClusterIssuers with the same codepath. By - // setting this field to either the namespace of the Issuer, or the - // clusterResourceNamespace specified on the CLI, we can easily continue - // to work with supplemental (e.g. secrets) resources without significant - // refactoring. - issuerResourcesNamespace string + // Namespace in which to read resources related to this Issuer from. + // For Issuers, this will be the namespace of the Issuer. + // For ClusterIssuers, this will be the cluster resource namespace. 
+ resourceNamespace string } -func NewVault(issuerObj v1alpha1.GenericIssuer, - cl kubernetes.Interface, - cmclient clientset.Interface, - recorder record.EventRecorder, - resourceNamespace string, - secretsLister corelisters.SecretLister) (issuer.Interface, error) { +func NewVault(ctx *controller.Context, issuer v1alpha1.GenericIssuer) (issuer.Interface, error) { + secretsLister := ctx.KubeSharedInformerFactory.Core().V1().Secrets().Lister() return &Vault{ - issuer: issuerObj, - client: cl, - cmclient: cmclient, - recorder: recorder, - issuerResourcesNamespace: resourceNamespace, - secretsLister: secretsLister, + Context: ctx, + issuer: issuer, + secretsLister: secretsLister, + resourceNamespace: ctx.IssuerOptions.ResourceNamespace(issuer), }, nil } // Register this Issuer with the issuer factory func init() { - issuer.Register(issuer.IssuerVault, func(issuer v1alpha1.GenericIssuer, ctx *issuer.Context) (issuer.Interface, error) { - issuerResourcesNamespace := issuer.GetObjectMeta().Namespace - if issuerResourcesNamespace == "" { - issuerResourcesNamespace = ctx.ClusterResourceNamespace - } - return NewVault( - issuer, - ctx.Client, - ctx.CMClient, - ctx.Recorder, - issuerResourcesNamespace, - ctx.KubeSharedInformerFactory.Core().V1().Secrets().Lister(), - ) - }) + controller.RegisterIssuer(controller.IssuerVault, NewVault) }
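Review bot: The rewritten constructor `func NewVault(ctx *controller.Context, issuer v1alpha1.GenericIssuer) (issuer.Interface, error)` names its parameter `issuer`, which shadows the imported `issuer` package throughout the function body; the return type still resolves to the package only because signature types are scoped outside the body, and any future reference to the package inside `NewVault` (e.g. `issuer.Register`) would resolve to the parameter instead. The previous constructor avoided this with `issuerObj`, and keeping it costs three lines: `func NewVault(ctx *controller.Context, issuerObj v1alpha1.GenericIssuer) (issuer.Interface, error) {`, `issuer: issuerObj,` and `resourceNamespace: ctx.IssuerOptions.ResourceNamespace(issuerObj),`. Separately, embedding `*controller.Context` as an exported field promotes every client, recorder and option on the controller context onto `*Vault`, which is broader than an issuer that only reads two secrets needs; an unexported `ctx *controller.Context` field keeps the same convenience without exposing the whole context through the issuer value. The empty-namespace fallback the old `init` did inline (`issuer.GetObjectMeta().Namespace` falling back to `ctx.ClusterResourceNamespace`) is now delegated to `ctx.IssuerOptions.ResourceNamespace(issuer)`, which is not in this diff, while the new struct comment asserts that behaviour as fact — worth confirming the helper implements the same fallback before the comment is taken at face value.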